My last post included an updated Postfix main.cf that was better at blocking spam and minimizing false positives through the use of DNS white lists (DNSWLs), but after a few days it was still letting in more spam than I wanted. I did additional tweaking and the following seems to work better, while still preventing false positives.

The main changes included specifying the following additional Postfix restrictions:

  • smtpd_sender_restrictions
  • smtpd_helo_restrictions
  • smtpd_data_restrictions
smtpd_helo_restrictions =
	reject_unknown_helo_hostname

smtpd_data_restrictions =
	reject_unauth_pipelining

smtpd_client_restrictions =
	permit_dnswl_client list.dnswl.org,
	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,

smtpd_sender_restrictions =
	reject_unknown_sender_domain,
	reject_unknown_address,
	reject_rhsbl_sender dsn.rfc-ignorant.org,
	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rbl_client b.barracudacentral.org,

smtpd_recipient_restrictions =
	permit_mynetworks,
	reject_invalid_hostname,
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	reject_unauth_destination,
	permit_dnswl_client list.dnswl.org,

	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rhsbl_sender dbl.spamhaus.org,
	reject_rhsbl_client dbl.spamhaus.org,
	reject_rhsbl_sender fresh15.spameatingmonkey.net,
	reject_rhsbl_client fresh15.spameatingmonkey.net,
	reject_rhsbl_sender uribl.spameatingmonkey.net,
	reject_rhsbl_client uribl.spameatingmonkey.net,
	reject_rhsbl_sender urired.spameatingmonkey.net,
	reject_rhsbl_client urired.spameatingmonkey.net,
	reject_rhsbl_client hostkarma.junkemailfilter.com=127.0.0.2,

	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client bl.spameatingmonkey.net,
	reject_rbl_client bl.spamcop.net,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
	reject_rbl_client dnsbl.njabl.org,
	reject_rbl_client bl.tiopan.com,
	reject_rbl_client spamsources.fabel.dk,
	reject_rbl_client truncate.gbudb.net,
	reject_rbl_client ubl.unsubscore.com,
	reject_rbl_client aspews.ext.sorbs.net,
	reject_rbl_client dnsbl.sorbs.net,
	reject_rbl_client backscatter.spameatingmonkey.net,
	reject_rbl_client bl.spameatingmonkey.net,

	permit

12/1/2012 update: I removed reject_rhsbl_sender dsn.rfc-ignorant.org since it is no longer up as of 11/30/2012